Posted to legal-discuss@apache.org by Joe Orton <jo...@redhat.com> on 2006/10/16 12:38:14 UTC

Re: MD4/MD5 implementation is non-free

An argument has been made that the third-party MD4/MD5 code in APR 
(specifically, APR-util) is licensed such that it is not permissible to 
distribute modified works.

Could we get confirmation of this interpretation?  The license header 
reads as follows:

 * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
 * rights reserved.
 *
 * License to copy and use this software is granted provided that it
 * is identified as the "RSA Data Security, Inc. MD4 Message-Digest
 * Algorithm" in all material mentioning or referencing this software
 * or this function.
 *
 * License is also granted to make and use derivative works provided
 * that such works are identified as "derived from the RSA Data
 * Security, Inc. MD4 Message-Digest Algorithm" in all material
 * mentioning or referencing the derived work.
 *
 * RSA Data Security, Inc. makes no representations concerning either
 * the merchantability of this software or the suitability of this
 * software for any particular purpose. It is provided "as is"
 * without express or implied warranty of any kind.
 *
 * These notices must be retained in any copies of any part of this
 * documentation and/or software.



---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: MD4/MD5 implementation is non-free

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Jan 7, 2007, at 9:44 AM, Garrett Rooney wrote:
> Uhh, anyone?  It'd be really great if someone with more clue in this
> area (Cliff, Roy, one of our lawyers, etc) could take a look at this
> and let me know if it resolves our problem or not.  If not, I'll look
> into an alternate solution (either asking RSA for an explicit
> clarification or replacing the code somehow).

I thought we did.  The "clarification" is completely vague:

   Implementations of these message-digest algorithms, including
   implementations derived from the reference C code in RFC-1319,
   RFC-1320, and RFC-1321, may be made, used, and sold without
   license from RSA for any purpose.

   No rights other than the ones explicitly set forth above are
   granted.  Further, although RSA grants rights to implement certain
   algorithms as defined by identified RFCs, including implementations
   derived from the reference C code in those RFCs, no right to use,
   copy, sell, or distribute any other implementations of the MD2, MD4,
   or MD5 message-digest algorithms created, implemented, or distributed
   by RSA is hereby granted by implication, estoppel, or otherwise.

So we can implement them, make them, use them, and even sell them,
but no permission to distribute them to third parties?

When I did a search the last time, I found at least three other
implementations based on public domain code and three more that
were probably derived from the RFC with further optimizations.

The best two independent ones are by L. Peter Deutsch (new BSD
license) and Colin Plumb (public domain).  The latter was apparently
extended by "Solar Designer" and included in dovecot-1.0.  The
non-independent implementations are inside the RFC, distributed
with bug fixes by Jim Ellis, and an optimized version of the RFC code
by Joe Touch.  The one in OpenSSL is by Eric Young, and though he
claims copyright and demands advertising, he also has comments saying
the code is derived from the RFC (okay if the code merely implements
the MD5 algorithm in the RFC without using the appendix).

That's how far I got before running out of time.  We should just
compare the speed of each of these and use whichever is best.

....Roy



Re: MD4/MD5 implementation is non-free

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 1/2/07, Garrett Rooney <ro...@electricjellyfish.net> wrote:
> On 10/17/06, Cliff Schmidt <cl...@gmail.com> wrote:
> > Joe,
> >
> > Not seeing the word "distribute" in the license, I would agree this
> > needs to be clarified.  There's an interesting mix of copyright terms
> > ("copy", "derivative works"), patent terms ("use", "make"), and even
> > an attribution requirement that is typically associated with
> > distribution.  However, without a word like "distribute" (or even
> > "communicate"), I agree we should get some clarification on this.
>
> There's a memo on the IETF site that may clarify some things here...
>
> http://www.ietf.org/ietf/IPR/RSA-MD-all
>
> I'm not sure if this helps us or not, it says that derivative works
> can be sold, but doesn't seem to explicitly say if they can be
> distributed.  Wouldn't "sold" imply distribution though?  If someone
> with more of a clue in this matter could take a look and see if that
> memo resolves things, or if we need to do some more leg work to be
> sure that would be great.

Uhh, anyone?  It'd be really great if someone with more clue in this
area (Cliff, Roy, one of our lawyers, etc) could take a look at this
and let me know if it resolves our problem or not.  If not, I'll look
into an alternate solution (either asking RSA for an explicit
clarification or replacing the code somehow).

Thanks,

-garrett



Re: MD4/MD5 implementation is non-free

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 10/17/06, Cliff Schmidt <cl...@gmail.com> wrote:
> Joe,
>
> Not seeing the word "distribute" in the license, I would agree this
> needs to be clarified.  There's an interesting mix of copyright terms
> ("copy", "derivative works"), patent terms ("use", "make"), and even
> an attribution requirement that is typically associated with
> distribution.  However, without a word like "distribute" (or even
> "communicate"), I agree we should get some clarification on this.

There's a memo on the IETF site that may clarify some things here...

http://www.ietf.org/ietf/IPR/RSA-MD-all

I'm not sure if this helps us or not, it says that derivative works
can be sold, but doesn't seem to explicitly say if they can be
distributed.  Wouldn't "sold" imply distribution though?  If someone
with more of a clue in this matter could take a look and see if that
memo resolves things, or if we need to do some more leg work to be
sure that would be great.

Thanks,

-garrett



Re: MD4/MD5 implementation is non-free

Posted by Cliff Schmidt <cl...@gmail.com>.
Joe,

Not seeing the word "distribute" in the license, I would agree this
needs to be clarified.  There's an interesting mix of copyright terms
("copy", "derivative works"), patent terms ("use", "make"), and even
an attribution requirement that is typically associated with
distribution.  However, without a word like "distribute" (or even
"communicate"), I agree we should get some clarification on this.

Cliff


On 10/16/06, Joe Orton <jo...@redhat.com> wrote:
> An argument has been made that the third-party MD4/MD5 code in APR
> (specifically, APR-util) is licensed such that it is not permissible to
> distribute modified works.
>
> Could we get confirmation of this interpretation?  The license header
> reads as follows:
>
>  * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
>  * rights reserved.
>  *
>  * License to copy and use this software is granted provided that it
>  * is identified as the "RSA Data Security, Inc. MD4 Message-Digest
>  * Algorithm" in all material mentioning or referencing this software
>  * or this function.
>  *
>  * License is also granted to make and use derivative works provided
>  * that such works are identified as "derived from the RSA Data
>  * Security, Inc. MD4 Message-Digest Algorithm" in all material
>  * mentioning or referencing the derived work.
>  *
>  * RSA Data Security, Inc. makes no representations concerning either
>  * the merchantability of this software or the suitability of this
>  * software for any particular purpose. It is provided "as is"
>  * without express or implied warranty of any kind.
>  *
>  * These notices must be retained in any copies of any part of this
>  * documentation and/or software.

Re: MD4/MD5 implementation is non-free

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 16, 2006, at 12:44 PM, Roy T. Fielding wrote:
>> Could we get confirmation of this interpretation?
>
> Did the person who made that argument substantiate it?

This was included in a prior message to dev@apr by Tollef Fog Heen:

    For those who don't know me, I'm one of the Debian Apache (and APR)
    maintainers.  Some time ago, we received a bug report (
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340538
    but bugs.d.o is down right now, mirror at http://url.err.no/hxnxhq )
    about the MD4 and MD5 implementations in apr-util being non-free and
    possibly [non]distributable.

The bug reporter seems to be taking individual copyright notices
out of context and assuming that no license exists just because it
isn't present within the files.  *shrug*

....Roy




Re: MD4/MD5 implementation is non-free

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Mon, Oct 16, 2006 at 11:48:05PM +0200, Tollef Fog Heen wrote:
> * Colm MacCarthaigh 
> 
> | I hate these damn things, alerting us to these stupid nits only causes
> | any theoretical infringement to become willful and over time worsens our
> | code-base. Anyway, our time would probably be better spent just asking
> | RSA for a slightly modified license.
> 
> I'm no happier for this than you are and I can't see it being a
> realistic threat.  However, we're technically in the grey area and I'd
> rather have us be totally clear.  I'd also like to not carry some
> silly patch and have to rip out the RSA MD4/MD5 code of every future
> tarball released by the APR project because you and Debian disagree
> about what's safe and what's not, licence-wise.
> 
> However, note that there is a public-domain MD4 and MD5 implementation
> (written by Solar Designer) which I've adapted to work in APR and put
> in the Debian APR packages and which works well there.  So this isn't
> some big effort which you suddenly have to take on; a patch is already
> present.

This is 10-year old code, that's a long time for any potential bugs to
have been shaken out. It's also the reference implementation, which
basically makes it bug-free by definition in the first place.

The technical reasons for keeping that code are very compelling imo,
which is why I suggest just asking RSA.

> I have heard some rumours that you are not too happy about code being
> in the public domain, so I have taken the liberty of talking with
> Solar Designer over this:

The concept of a public domain does not generally exist outside of the
US. Generally instead a very liberal unilateral license is instead
preferred.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Re: MD4/MD5 implementation is non-free

Posted by Tollef Fog Heen <tf...@err.no>.
* Colm MacCarthaigh 

| I hate these damn things, alerting us to these stupid nits only causes
| any theoretical infringement to become willful and over time worsens our
| code-base. Anyway, our time would probably be better spent just asking
| RSA for a slightly modified license.

I'm no happier for this than you are and I can't see it being a
realistic threat.  However, we're technically in the grey area and I'd
rather have us be totally clear.  I'd also like to not carry some
silly patch and have to rip out the RSA MD4/MD5 code of every future
tarball released by the APR project because you and Debian disagree
about what's safe and what's not, licence-wise.

However, note that there is a public-domain MD4 and MD5 implementation
(written by Solar Designer) which I've adapted to work in APR and put
in the Debian APR packages and which works well there.  So this isn't
some big effort which you suddenly have to take on; a patch is already
present.

I have heard some rumours that you are not too happy about code being
in the public domain, so I have taken the liberty of talking with
Solar Designer over this:

  > I was wondering if it would be possible to have your MD4 and MD5
  > implementations ASL or BSD licenced in addition to being in the
  > public domain.

  I'm afraid not.  In my understanding, when I place something in the
  public domain, I disclaim any copyright interest in it - so I no
  longer have a right to place it under a license.  Well, technically
  I may try to do so, but my understanding is that such a license
  would be void (at least in jurisdictions that do recognize public
  domain) and/or this fact could be used to dispute the public domain
  status of the software.

And in a later mail:

  Thinking of it some more, I realize that if my placing in the public
  domain has "worked", then anyone including me can also release this
  same software (or a derivative of it) under a license.  Someone
  might interpret my doing so as me claiming copyright on the original
  work instead of placing it in the public domain.  Someone else might
  interpret it as me claiming copyright on a derivative of the public
  domain work.

I'm not sure I agree with his reasoning, but I would be grateful for
any help you could give me finding a reasonable course of action so we
can get this cleaned up.  Also, if somebody could point me to a
reasoning for the wariness of using PD code which I could send to
Solar Designer, that would be useful.

His licence statement reads:

/*
 * This is an OpenSSL-compatible implementation of the RSA Data Security,
 * Inc. MD5 Message-Digest Algorithm.
 *
 * Written by Solar Designer <so...@openwall.com> in 2001, and placed in
 * the public domain.  There's absolutely no warranty.
 */

If we want it explicit that public domain means «you can distribute,
modify and distribute modified versions freely, for any purpose», I
think I can get that added.  (It seems like that was an issue when
Jakarta Commons Math wanted to incorporate code from the JAMA matrix
package almost two years ago.)

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  


Re: MD4/MD5 implementation is non-free

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Mon, Oct 16, 2006 at 10:07:45PM +0200, Tollef Fog Heen wrote:
> Note also that even if copyright law works that way in jurisdictions
> you are familiar with, there's no guarantee it works that way in every
> jurisdiction.  Better safe than sorry.  IMO, at least.

Copyright law is largely harmonised by the Berne convention and later
various other WIPO conventions, which is usually the context in which we
discuss these things.

Convention vests all copy-rights for a derivative work with the owner of
the original copyrights (from which the work was derived) unless the
owner explicitly disclaims them. Even if this were not the case, the
very first paragraph of the RSA license tells us all we need to know;

  "All rights reserved."

which would likely trump any copy + derivability = copyable derivative
theory in any court.

It is possible to have a license which allows for the creation of
non-distributable derivatives - while still allowing you to distribute
copies of the original - in some countries the so-called artistic rights
can play a role here too. (An artist might let you sell prints of their
painting, but you're not allowed to distribute modified versions - for
reasons of artistic integrity, but you may be allowed to create modified
versions for promotional purposes).

But then all sorts of jurisdictions have other various "rights". In
Europe, it's common for there to be only a very limited right to reverse
engineer or study for the purpose of interoperability. If we were to go
down the road of insisting everything iterate every possible limited
right across all jurisdictions, it could get very messy very quickly.

So it probably would be ever so slightly pedantically more correct to
have an explicit term allowing the distribution of derivatives, but from
here it's hard to see why we should care, RSA sure don't. This code has
been in there over a decade, is published in RFC1320 and it was clearly
intended to be liberally licensed, what on earth possible damages could
there be for this theoretical infringement?

In other words, when you intersect this kind of anal technical and
theoretical problem with the real world, it becomes non-existent. What's
the actual threat?

I hate these damn things, alerting us to these stupid nits only causes
any theoretical infringement to become willful and over time worsens our
code-base. Anyway, our time would probably be better spent just asking
RSA for a slightly modified license.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: MD4/MD5 implementation is non-free

Posted by Colm MacCarthaigh <co...@stdlib.net>.
On Mon, Oct 16, 2006 at 10:07:45PM +0200, Tollef Fog Heen wrote:
> Note also that even if copyright law works that way in jurisdictions
> you are familiar with, there's no guarantee it works that way in every
> jurisdiction.  Better safe than sorry.  IMO, at least.

Copyright law is largely harmonised by the Berne convention and later
various other WIPO conventions, which is usually the context in which we
discuss these things.

Convention vests all copy-rights for a derivative work with the owner of
the original copyrights (from which the work was derived) unless the
owner explictly disclaims them. Even, if this were not the case, the
very first paragraph of the RSA license tells us all we need to know;

  "All rights reserved."

which would likely trump any copy + derivability = copyable derivative
theory in any court.

It is possible to have a license which allows from the creation of
non-distributable derivatives - while still allowing you to distribute
copies of the original - in some countries the so-called artistic rights
can play a role here too. (An artist might let you sell prints of their
painting, but you're not allowed distribute modified versions - for
reasons of artistic integrity, but you may be allowed to create modified
versions for promotional purposes).

But then all sorts of jurisdictions have other various "rights". In
Europe, it's common for there to be only a very limited right to reverse
engineer or study for the purpose of interoperability. If we were to go
down the road of insisting everything iterate every possble limited
right accross all jurisdictions, it could get very messy very quickly.

So it probably would be ever so slightly pedantically more correct to
have an explicit term allowing the distribution of derivatives, but from
here it's hard to see why we should care, RSA sure don't. This code has
been in there over a decade, is published in RFC1320 and it was clearly
intended to be liberally licensed, what on earth possible damages could
there be for this theoritical infringement?  

In other words, when you intersect this kind of anal technical and
theoritical problem with the real world, it becomes non-existant. What's
the actual threat?

I hate these damn things, alerting us to these stupid nits only causes
any theoretical infringement to become willful and over time worsens our
code-base. Anyway, our time would probably be better spent just asking
RSA for a slightly modified license.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net

Re: MD4/MD5 implementation is non-free

Posted by Tollef Fog Heen <tf...@err.no>.
* "Roy T. Fielding" 

| On Oct 16, 2006, at 3:38 AM, Joe Orton wrote:
| 
| > An argument has been made that the third-party MD4/MD5 code in APR
| > (specifically, APR-util) is licensed such that it is not
| > permissible to distribute modified works.
| 
| AIUI, copyright law has separate restrictions on "to make ...
| derivative works" from the restrictions on reproducing works, and
| thus the text is merely reflecting each of the permissions needed
| in turn.  In other words, if you have a license to copy and a license
| to make derivative works, then you have a license to redistribute
| the derivative works as well, since the derivative work is
| covered either by the original's license-to-copy or by the new
| copyright of the entity that created the derivative work.

IANAL, but that's not how Debian interprets licences.  You don't have
any rights not explicitly granted, and a right to make derivative
works and a right to distribute the software does not give you the
right of distributing derivative works.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340538 is the
original bug report.

Note also that even if copyright law works that way in jurisdictions
you are familiar with, there's no guarantee it works that way in every
jurisdiction.  Better safe than sorry.  IMO, at least.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  

Re: MD4/MD5 implementation is non-free

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 16, 2006, at 12:44 PM, Roy T. Fielding wrote:
>> Could we get confirmation of this interpretation?
>
> Did the person who made that argument substantiate it?

This was included in a prior message to dev@apr by Tollef Fog Heen:

    For those who don't know me, I'm one of the Debian Apache (and APR)
    maintainers.  Some time ago, we received a bug report (
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340538
    but bugs.d.o is down right now, mirror at http://url.err.no/hxnxhq )
    about the MD4 and MD5 implementations in apr-util being non-free and
    possibly [non]distributable.

The bug reporter seems to be taking individual copyright notices
out of context and assuming that no license exists just because it
isn't present within the files.  *shrug*

....Roy


Re: MD4/MD5 implementation is non-free

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 16, 2006, at 9:02 PM, Jeffrey Thompson wrote:
> "Roy T. Fielding" <fi...@gbiv.com> wrote on 10/16/2006 03:44:20 PM:
>> On Oct 16, 2006, at 3:38 AM, Joe Orton wrote:
>>
>>> An argument has been made that the third-party MD4/MD5 code in APR
>>> (specifically, APR-util) is licensed such that it is not
>>> permissible to
>>> distribute modified works.
>>
>> AIUI, copyright law has separate restrictions on "to make ...
>> derivative works" from the restrictions on reproducing works, and
>> thus the text is merely reflecting each of the permissions needed
>> in turn.  In other words, if you have a license to copy and a license
>> to make derivative works, then you have a license to redistribute
>> the derivative works as well, since the derivative work is
>> covered either by the original's license-to-copy or by the new
>> copyright of the entity that created the derivative work.
>>
>> The intent of this "licensed" interpretation is further evidenced
>> by the requirement that derivative works contain a notice that they
>> are "derived from ...", since such a notice would serve no useful
>> purpose if the person was not allowed to make copies.
>>
> Roy, but the issue here isn't copies, it's distribution.  Remember that
> copyright was originally designed for books where the copying step was
> separate from the distribution step and was usually performed by someone
> other than the distributor.  Just because I'm allowed to make an unlimited
> number of copies of a piece of software, that does not mean that I'm
> allowed to provide a single one of those to another party.

Ouch!  You are, of course, quite right -- I completely missed that
"copy and use" was not equivalent to distribution.  For others, you
can see the distinction in

    http://www.copyright.gov/title17/92chap1.html#106

It didn't occur to me that they might only be licensing personal
use copies.  Blech.

> So, that leaves us with a situation where, if the text presented is the
> only means of getting the right to distribute, we may have a problem.
> There may be another license somewhere that covers this code.  Then again,
> there may not.  A clarification from RSA might be in order.

The origin is

    http://www.ietf.org/rfc/rfc1321.txt

which may or may not help.

....Roy


Re: MD4/MD5 implementation is non-free

Posted by Jeffrey Thompson <jt...@us.ibm.com>.
"Roy T. Fielding" <fi...@gbiv.com> wrote on 10/16/2006 03:44:20 PM:
> On Oct 16, 2006, at 3:38 AM, Joe Orton wrote:
> 
> > An argument has been made that the third-party MD4/MD5 code in APR
> > (specifically, APR-util) is licensed such that it is not 
> > permissible to
> > distribute modified works.
> 
> AIUI, copyright law has separate restrictions on "to make ...
> derivative works" from the restrictions on reproducing works, and
> thus the text is merely reflecting each of the permissions needed
> in turn.  In other words, if you have a license to copy and a license
> to make derivative works, then you have a license to redistribute
> the derivative works as well, since the derivative work is
> covered either by the original's license-to-copy or by the new
> copyright of the entity that created the derivative work.
> 
> The intent of this "licensed" interpretation is further evidenced
> by the requirement that derivative works contain a notice that they
> are "derived from ...", since such a notice would serve no useful
> purpose if the person was not allowed to make copies.
> 
Roy, but the issue here isn't copies, it's distribution.  Remember that 
copyright was originally designed for books where the copying step was 
separate from the distribution step and was usually performed by someone 
other than the distributor.  Just because I'm allowed to make an unlimited 
number of copies of a piece of software, that does not mean that I'm 
allowed to provide a single one of those to another party.

So, that leaves us with a situation where, if the text presented is the 
only means of getting the right to distribute, we may have a problem. 
There may be another license somewhere that covers this code.  Then again, 
there may not.  A clarification from RSA might be in order.

Jeff

Staff Counsel, IBM Corporation  (914)766-1757  (tie)8-826  (fax) -8160
(notes) jthom@ibmus  (internet) jthom@us.ibm.com (home) jeff@beff.net
(web) http://www.beff.net/ 


Re: MD4/MD5 implementation is non-free

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 16, 2006, at 3:38 AM, Joe Orton wrote:

> An argument has been made that the third-party MD4/MD5 code in APR
> (specifically, APR-util) is licensed such that it is not permissible to
> distribute modified works.

AIUI, copyright law has separate restrictions on "to make ...
derivative works" from the restrictions on reproducing works, and
thus the text is merely reflecting each of the permissions needed
in turn.  In other words, if you have a license to copy and a license
to make derivative works, then you have a license to redistribute
the derivative works as well, since the derivative work is
covered either by the original's license-to-copy or by the new
copyright of the entity that created the derivative work.

The intent of this "licensed" interpretation is further evidenced
by the requirement that derivative works contain a notice that they
are "derived from ...", since such a notice would serve no useful
purpose if the person was not allowed to make copies.

> Could we get confirmation of this interpretation?

Did the person who made that argument substantiate it?
I think the interpretation is bogus, and RSA would have
complained by now if it had any reason to do so.  We have been
distributing that code for at least 10 years.  But it would be
nice to get confirmation from a lawyer that copyright law does
indeed work the way that I presume above.

....Roy


Re: MD4/MD5 implementation is non-free

Posted by Cliff Schmidt <cl...@gmail.com>.
Joe,

Not seeing the word "distribute" in the license, I would agree this
needs to be clarified.  There's an interesting mix of copyright terms
("copy", "derivative works"), patent terms ("use", "make"), and even
an attribution requirement that is typically associated with
distribution.  However, without a word like "distribute" (or even
"communicate"), I agree we should get some clarification on this.

Cliff


On 10/16/06, Joe Orton <jo...@redhat.com> wrote:
> An argument has been made that the third-party MD4/MD5 code in APR
> (specifically, APR-util) is licensed such that it is not permissible to
> distribute modified works.
>
> Could we get confirmation of this interpretation?  The license header
> reads as follows:
>
>  * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
>  * rights reserved.
>  *
>  * License to copy and use this software is granted provided that it
>  * is identified as the "RSA Data Security, Inc. MD4 Message-Digest
>  * Algorithm" in all material mentioning or referencing this software
>  * or this function.
>  *
>  * License is also granted to make and use derivative works provided
>  * that such works are identified as "derived from the RSA Data
>  * Security, Inc. MD4 Message-Digest Algorithm" in all material
>  * mentioning or referencing the derived work.
>  *
>  * RSA Data Security, Inc. makes no representations concerning either
>  * the merchantability of this software or the suitability of this
>  * software for any particular purpose. It is provided "as is"
>  * without express or implied warranty of any kind.
>  *
>  * These notices must be retained in any copies of any part of this
>  * documentation and/or software.
